Hatless once again. On Tue, Jul 12, 2022 at 3:08 PM Douglas Foster < dougfoster.emailstanda...@gmail.com> wrote:
> The tree walk solves the problem IF the policy has boundary information > provided by the domain owner. Without that, aren't we substituting one > insufficiently reliable solution for another insufficiently reliable one? > Another way to look at it: The PSL was never designed to provide the information for which DMARC has been using it. Hanging DMARC on it was a reasonable thing for a proof of concept, which is what RFC 7489 really was; it happens to give the right answer most of the time, but that's something of a coincidence. Here we're taking control over the input to the Organizational Domain and Policy Discovery algorithms, which is a more defensible way to do things if you're heading for the Standards Track. The tree walk also eliminates any concern that two compliant operators are using different versions of the input data. There is no guarantee that my copy of the PSL is any more or less up to date than yours is, leading us both to different determinations about the very same message. But once we're using the DNS for this, then, other than staleness caused by short-term caching, we're all talking about the same thing. There is indeed more of a burden on sending domains and registry operators to publish the needed markers in the DNS before this will all work the way we want it to. My view is that the working group perceives the risk of continued use of the PSL to be less favorable than taking on that burden. The tree walk has been a goal for years. Changes to nodes in the DNS tree are visible immediately; changes to the PSL take an unknown amount of time to be published and deployed globally. Changes to the DNS are made by the operator in charge of the name(s) being updated; as far as I'm aware, changes to the PSL are made by a limited community not involved in (or perhaps even interested in, or cognizant of) DMARC. If we want a migration period, some kind of hybrid model might work: Do the DNS tree walk, but at each step, if you find you've hit a name that's present in the PSL, you can stop and pretend you found a marker you're looking for. When those markers are all (or mostly) actually published, then stop doing that. For bonus points, find some non-DoS way to notify those operators that they really should be publishing the missing markers. (The 1990s DNS "lame delegation" stuff comes to mind.) We just need to remember that SPF had a not-so-great transition plan, so we need to be careful how we craft this one. -MSK
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
